OpenWrt Forum Archive

Topic: Setting up HotSpot -- why doesn't this work?

The content of this topic has been archived on 30 Mar 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hi,

This is the second time I'm requesting help for setting up a simple, free Hotspot. (I hope someone responds this time!) I started over and imitated the technique described here (a few modifications were made).

Here is my setup:

Internet (DSL)
   |
Router (Linksys RV0041)  ---- Internal Network Clients
   |
   |
Wireless Router (Linksys WRT54GL)
   |
   |
Free Wireless Clients


The RV0041 router has IP address 192.168.0.1 and assigns IP address 192.168.0.112 to the WRT54GL (forcefully via DHCP).

Wireless Clients can resolve host names. That's about it. Ping does not work. Wireless clients are able to SSH into White Russian and ping from there.

-----------------------
/etc/firewall.user
-----------------------
#!/bin/sh
# Copyright (C) 2006 OpenWrt.org

# Original firewall.user commands here:
iptables -F input_rule
iptables -F output_rule
iptables -F forwarding_rule
iptables -t nat -F prerouting_rule
iptables -t nat -F postrouting_rule
iptables -F input_wan
iptables -F forwarding_wan
iptables -t nat -F prerouting_wan
####################################

# New firewall.user commands here:

#
# INPUT
#
echo "INPUT"
echo "  * Flush"
iptables -t filter -F
iptables -t filter -X
iptables -t nat -F
iptables -t nat -X

iptables -N input_rule
iptables -N output_rule
iptables -N forwarding_rule

iptables -t nat -N prerouting_rule
iptables -t nat -N postrouting_rule

echo "  * DROP"
iptables -P INPUT DROP
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --tcp-flags SYN SYN --tcp-option \! 2 -j DROP

echo "  * ACCEPT"
iptables -A INPUT -j input_rule
iptables -A INPUT -j ACCEPT    # allow from all interfaces
iptables -A INPUT -p icmp -j ACCEPT # allow ICMP
iptables -A INPUT -p gre -j ACCEPT # allow GRE

# Reject everything else
iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable

#
# OUTPUT
#
echo "OUTPUT"

echo "  * DROP"
iptables -P OUTPUT DROP
iptables -A OUTPUT -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

echo "  * ACCEPT"
iptables -A OUTPUT -j output_rule
iptables -A OUTPUT -j ACCEPT # let everything out

# Reject everything else
iptables -A OUTPUT -p tcp -j REJECT --reject-with tcp-reset
iptables -A OUTPUT -j REJECT --reject-with icmp-port-unreachable

#
# FORWARD
#
echo "FORWARD"
echo 1 > /proc/sys/net/ipv4/ip_forward

echo "  * DROP"
iptables -P FORWARD DROP
iptables -A FORWARD -m state --state INVALID -j DROP
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

echo "  * ACCEPT"
iptables -A FORWARD -j forwarding_rule
iptables -A FORWARD -i br0 -o br0 -j ACCEPT
iptables -A FORWARD -i br0 -o eth1 -j ACCEPT
iptables -A FORWARD -i eth1 -o br0 -j ACCEPT

echo "  * MASQ"
iptables -t nat -A PREROUTING -j prerouting_rule
iptables -t nat -A POSTROUTING -j postrouting_rule
iptables -t nat -A POSTROUTING -j MASQUERADE
-----------------------
NVRAM
-----------------------
# switch: client DHCP
nvram set lan_ifname=br0
nvram set lan_proto=dhcp
# bridge switch+wan, wifi is not part of br0
nvram set lan_ifnames="vlan0 vlan1"

# wan is included in br0
nvram set wan_ifname=vlan1
nvram set wan_proto=none

# wifi
nvram set wifi_ifname=eth1
nvram set wifi_proto=static
nvram set wifi_ipaddr=192.168.1.1
nvram set wifi_netmask=255.255.255.0

# Wireless config
nvram set wl0_mode=ap
nvram set wl0_ssid=Hookah
nvram set wan_hostname=hookah

iptables -t nat -A POSTROUTING -j MASQUERADE

Try specifying the outgoing interface.  You probably don't want to PAT/masquerade traffic in both directions.

#example
iptables -t nat -A POSTROUTING -o br0 -j MASQUERADE

Hope this helps,
Charlie

After bonking my first router, I decided to rethink my whole approach. It seems like the firewall simply doesn't want to block packets with commands like:

/usr/sbin/iptables -I FORWARD -s 192.168.1.0/24 -d 192.168.0.103 -j DROP

Then I discovered that trying to block the packets at the WRT was the hard way and that packets could be separated very easily at the RV0041. I plugged the WRT into port 2 of the RV0041 and then went to the config page of the RV0041 and set port 2 to be on VLAN2 (all the other ports are on VLAN1). I also installed DD-WRT on my new WRT because it has NoCatSplash Built-In. Now everything works just dandy.
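Added example for the WRT side of this thread; it is not the original poster's firewall.user, Charlie's reply, or OpenWrt's stock script. It puts together Charlie's `-o` suggestion for the MASQUERADE rule, the hotspot-to-internal-network DROP that the follow-up tried (widened from one host to the whole 192.168.0.0/24 net and placed before the ACCEPT that would otherwise shadow it), and an INPUT chain without the catch-all `-j ACCEPT` that let wireless clients SSH into the router in the first post. Interface roles and subnets (br0 = wired side toward the RV0041 and 192.168.0.0/24, eth1 = wireless hotspot on 192.168.1.0/24) are taken from the NVRAM settings in the first post and are assumptions, as is the `IPT` dry-run variable, which is this example's own convention.

```shell
#!/bin/sh
# Added example, not the original poster's firewall.user or Charlie's reply.
# A firewall.user fragment for the layout in this thread, assuming (from the
# NVRAM settings in the first post; all of these are assumptions):
#   br0  = wired side toward the RV0041 and the internal net 192.168.0.0/24
#   eth1 = wireless hotspot side, 192.168.1.0/24
# IPT defaults to a dry run that prints the rules; run as root with
# IPT=iptables to apply them (e.g. IPT=iptables sh hotspot.sh apply).

IPT="${IPT:-echo iptables}"
LAN_IF="${LAN_IF:-br0}"
HOT_IF="${HOT_IF:-eth1}"
INTERNAL_NET="${INTERNAL_NET:-192.168.0.0/24}"
HOTSPOT_NET="${HOTSPOT_NET:-192.168.1.0/24}"

hotspot_rules() {
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # INPUT: what hotspot clients may talk to on the router itself.
    # Chains are first-match, so a bare "-A INPUT -j ACCEPT" (as in the
    # original script) shadows every rule appended after it and lets the
    # hotspot reach ssh on the router. Specific rules go first.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state INVALID -j DROP
    $IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPT -A INPUT -i "$HOT_IF" -p udp --dport 67 -j ACCEPT   # DHCP from hotspot
    $IPT -A INPUT -i "$HOT_IF" -p udp --dport 53 -j ACCEPT   # DNS from hotspot
    $IPT -A INPUT -i "$HOT_IF" -p tcp --dport 53 -j ACCEPT
    $IPT -A INPUT -i "$HOT_IF" -j DROP                       # nothing else (no ssh)
    $IPT -A INPUT -i "$LAN_IF" -j ACCEPT                     # management from wired side

    # FORWARD: hotspot gets the Internet, not the internal network.
    $IPT -A FORWARD -m state --state INVALID -j DROP
    $IPT -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPT -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
    # The isolation DROP must precede the ACCEPT, or the ACCEPT shadows it.
    $IPT -A FORWARD -i "$HOT_IF" -o "$LAN_IF" -d "$INTERNAL_NET" -j DROP
    $IPT -A FORWARD -i "$HOT_IF" -o "$LAN_IF" -j ACCEPT
    # No br0 -> eth1 rule: the wired side cannot open connections to hotspot clients.

    # NAT: masquerade only hotspot traffic leaving via the wired side, so the
    # internal network is never translated in the other direction.
    $IPT -t nat -A POSTROUTING -s "$HOTSPOT_NET" -o "$LAN_IF" -j MASQUERADE
}

if [ "${1:-}" = "apply" ]; then
    hotspot_rules
fi
```

The DNS and DHCP accepts assume the WRT itself serves both to the hotspot (dnsmasq on eth1); if the RV0041 does, those two lines go away. Putting port 2 of the RV0041 on its own VLAN, as the follow-up ended up doing, separates the hotspot at the switch instead, and then the WRT-side DROP only matters as a second layer.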

The discussion might have continued from here.